Problem solve Get help with specific problems with your technologies, process and projects.

Three resources for delegating rights

How would you go about implementing security based on the principle of least privilege for a helpdesk staff in an eight domain forest? I have granted and denied rights over certain OUs through delegation or security settings. Those that are on the helpdesk also maintain user shares, backup operations, enterprise AV, etc which falls over into file and data security. I would rather not become too granular with this because of documenting and reporting on the configuration is difficult, unless you have a way to list all user security and privileges. I do not believe that my efforts have been in vain, but I would like to get your input so that I can verify and strengthen my work.
I'd start, like it appears you did, by determining what the helpdesk needs to do and then delegating these rights only over the OUs that they need them for. Three important resources that may help you are the best practices guides and appendices for delegating rights and the tool dsrevoke.exe. Dsrevoke.exe can be used to list (help you create reports) delegated rights in Active Directory and also to remove delegated rights.

Dig Deeper on Windows 10 security and management

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.